Over the last decade, malicious software (malware) has become a pervasive problem. In some situations, malware is an object embedded within downloadable content designed to adversely influence or attack normal operations of a computer. Examples of different types of malware may include computer viruses, Trojan horses, worms, spyware, backdoors, and other programming that operates maliciously within an electronic device (e.g. computer, tablet, smartphone, server, router, wearable technology, or other types of electronics with data processing capability) without permission by the user or an administrator.
For instance, content may be embedded with objects associated with a web page hosted by a malicious web site. By downloading this content, malware causing another web page to be requested from a malicious web site may be unknowingly installed on the computer. Similarly, malware may also be installed on a computer upon receipt or opening of an electronic mail (email) message. For example, an email message may contain an attachment, such as a Portable Document Format (PDF) document, with embedded executable malware. Also, malware may exist in files infected through any of a variety of attack vectors, which are uploaded from an infected computer onto a networked storage device such as a file share.
Over the past few years, various types of security appliances have been deployed at different segments of a network. These security appliances use virtual machines to uncover the presence of malware embedded within ingress content propagating over these different segments. However, in order to be effective in uncovering the malware, the virtual machine (VM) needs to make the suspicious content believe that it has accessed a live machine and not just a VM or “sandbox” environment. Thus, any actions that are performed in the VM or “sandbox” have to be as invisible as possible to malware so that the malware does not detect that it is being processed within a sandbox rather than a production computer system. Further, the VM may only exercise each specimen for a finite amount of time so that it may subsequently analyze as many specimens as possible in as short a period of time as possible. Accordingly, some malicious contents employ special defensive strategies to enable them to delay their own execution in order to bypass the VM uncovering their presence.